April 14, 2008

ITGumbo: spicing IT up

IT Copywrite

Technology and application of technology.

ebizQ presents ITGumbo: a spicy blog network where vendors and IT professionals share ideas about creating Business Agility.

Wireless Access Point security

Cyberthieves could steal data from the IT systems of TJX, the parent company of T.J. Maxx. How robust is the wireless security mechanism? In a modern office all systems may work wirelessly, and while you are working in your cabin a hacker may be sitting in a car nearby, reading all the data flowing through the air. Data that was earlier contained in a wire, and required physical access to the system for intrusion, is suddenly insecure. The organization's firewall protected all the systems behind it, and the internal network was secure. Now, do you need to keep a watch on what is going on outside your office? Any cause of security failure other than insecure wireless access points must be considered an inappropriate information security policy.

Wireless Security


Wired Equivalent Privacy (WEP) was the native security protocol for Wi-Fi. It required manual configuration of the data encryption key on the wireless access point (AP) and on the wireless clients. This static key was used for all communication on the Wi-Fi interface until it was manually changed. The 40-bit key was also used for client authentication and could be easily cracked.

Wi-Fi Protected Access (WPA) and WPA2 are more robust security mechanisms. A RADIUS server authenticates the client that connects to an AP in the network and then assigns the key; therefore an unauthorized user cannot access the organization's wireless network. Extensible Authentication Protocol (EAP) is used for user authentication. The Temporal Key Integrity Protocol (TKIP) uses 802.1X to produce a dynamic hierarchical key for user sessions and assigns it to the AP and the client. The dynamic key configuration on the AP and wireless clients has a provision to use a new key for every message exchanged, which leaves very little time for key cracking. WPA2 adds a new encryption scheme, Advanced Encryption Standard (AES), to TKIP and 802.1X/EAP. AES has been adopted by the US Department of Commerce and the National Institute of Standards and Technology.

The other access control mechanism on the wireless network is the MAC address filter: only a client whose MAC address appears in a pre-configured list on the AP is allowed to connect to it. For communication with the external world, an end-to-end IPsec tunnel may be configured between the wireless client and the external host/server. IPsec is an additional security layer below WEP/WPA. To protect your wireless office from intruders, ensure that the access point and the NIC on your laptop/desktop have WPA. Check list to protect an organization against wardrivers.
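The settings discussed above (static WEP keys, WPA/WPA2 with 802.1X/EAP and a RADIUS server, AES, MAC address filtering) can be checked directly in an access point's configuration. The following is an added example, not part of the original post: a Python audit of hostapd-style settings. The option names are hostapd's; the two sample configurations, the address 192.0.2.10 and the key and secret values are constructed placeholders.

```python
# Added example: audit hostapd-style settings for the points discussed above.
# Both sample configurations are constructed; address and secrets are placeholders.
WEAK_AP = """\
wep_default_key=0
wep_key0=PLACEHOLDER_WEP_KEY
macaddr_acl=1
"""

HARDENED_AP = """\
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_shared_secret=PLACEHOLDER_SECRET
"""

def parse(conf_text):
    """Return key=value settings, skipping blank lines and # comments."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(conf_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse(conf_text)
    findings = []
    wpa = int(s.get("wpa", "0"))  # hostapd bit field: 1 = WPA, 2 = WPA2
    if any(key.startswith("wep_key") for key in s):
        findings.append("static WEP key configured")
    if wpa == 0:
        findings.append("WPA/WPA2 not enabled")
        if s.get("macaddr_acl", "0") != "0":
            findings.append("MAC address filter is the only access control")
        return findings
    if not wpa & 2:
        findings.append("WPA2 not enabled")
    # Assumption: an unset cipher list is treated as TKIP only.
    ciphers = (s.get("rsn_pairwise") or s.get("wpa_pairwise") or "TKIP").split()
    if "CCMP" not in ciphers:
        findings.append("AES (CCMP) not offered as pairwise cipher")
    if "WPA-EAP" not in s.get("wpa_key_mgmt", "").split() or s.get("ieee8021x") != "1":
        findings.append("no 802.1X/EAP authentication")
    elif "auth_server_addr" not in s:
        findings.append("802.1X enabled but no RADIUS server configured")
    return findings
```

Calling `audit(WEAK_AP)` returns three findings, while `audit(HARDENED_AP)` returns an empty list.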
